ClamWin or something else? (alternatives)
Seer
February 8th, 2008, 04:32 PM
Hello.
I rarely post in AV forum as my experience with AVs is rather modest. Except NOD, which I ran for the last 2 years (yes, a past tense, NOD is gone for good), I had a short adventure with Kaspersky and that pretty much sums it all. So I could use a little help in choosing an AV :)
What I actually need is a dedicated on-demand AV with a command line scanner. A CL scanner is essential, as I want to integrate it in SSM. (SSM will then give the option to manually scan every triggered file directly from the popup)
ClamWin first came to my mind and I thought it would fit perfectly in the equation. It does not run in any way until requested and has a command-line executable. No service, no driver, no unnecessary bloat whatsoever. Just a scanner. I actually like it very much (yes GUI too lol), but ClamWin is somewhat out of focus on Wilders, to say the least, so that makes me a bit wary. iirc when I last looked its detection rates were not stellar, is this getting better? If Clam's generally not recommended, are there similar alternatives? I don't need an AV with 99% detection rate, but I wouldn't mind using one as long as it satisfies all my needs - 0 resources, 0 drivers/services, CL scanner. How about Avira or AVG? Avira has a driver loaded even if the guard is not installed, right? I may be wrong though...
Being free is not a requirement, but on-demand AVs usually are.
All suggestions are welcome,
thanks,
lucas1985
February 8th, 2008, 04:50 PM
- A2 CLI scanner (http://www.emsisoft.com/en/software/download/)
- Ewido CLI scanner (http://www.wilderssecurity.com/showthread.php?t=179337)
- McAfee CLI scanner (http://vil.nai.com/vil/virus-4d.aspx) (win_betaengdat.zip)
:)
C.S.J
February 8th, 2008, 04:55 PM
Over the last year, Clam has scored really poorly at Shadowserver.
However, recently they always score high.
Improvements/improved?....... maybe.
Only time will tell, I suppose.
Personally, I'd use something else. ;)
lucas1985
February 8th, 2008, 04:58 PM
ClamAV isn't that bad as an on-demand scanner; it has one of the fastest response times. AFAIK, Dr.Web offers an up-to-date CLI scanner (paid IIRC)
Bob D
February 8th, 2008, 06:43 PM
-{ Quote: "ClamAV isn't that bad as an on-demand scanner; it has one of the fastest response times" }-
ClamAV, though much maligned here, does have some amazing response times due to its open source nature. I often see 10 updates per day (vs. <1 per day for my current paid AV).
Detection rates however still remain mediocre at best when compared to the "big boys". Updates are tedious.
-{ Quote: "Dr.Web offers an up-to-date CLI scanner (paid IIRC)" }-
The Dr.'s Console Scanner may be your best bet, though it's not priced much lower than their AV for Windows.
Much depends on your "risk profile" with regards to detection efficacy required.
Diver
February 8th, 2008, 06:49 PM
They all have drivers loaded, otherwise they could not access the file system fast enough. You must be up in arms about Bitdefender and its multiple services. Clam can be unloaded, what I am not sure of is if it stays loaded after it is run. Perhaps there is a command line option to unload it.
Please explain what happens with SSM. Is it when there is some event that causes SSM to give a warning the file is scanned?
Bob D
February 8th, 2008, 07:10 PM
-{ Quote: "over the last year, clam has scored really poor at shadowserver.
however, recently they always score high..." }-
Interesting. Yearly stats unimpressive, but weekly, monthly very impressive.
That is IF you put credence in Shadowserver's ratings (but that's a whole other thread :) ).
C.S.J
February 8th, 2008, 07:12 PM
-{ Quote: "Interesting. Yearly stats unimpressive, but weekly, monthly very impressive.
That is IF you put credence in Shadowserver's ratings (but that's a whole other thread :) )." }-
regardless if you trust the testers or not, the results are from the same tester.
and recent ones are quite impressive, although over the year ... poor.
so maybe, its improving quite well Bob.
Diver
February 8th, 2008, 07:14 PM
I suspect there has been a real improvement. Every few days the yearly number for Clam moves up a bit, reflecting more of the newer good performance and less of the old. You might notice some similar statistics for Avast.
Bob D
February 8th, 2008, 07:30 PM
-{ Quote: "regardless if you trust the testers or not, the results are from the same tester. and recent ones are quite impressive, although over the year ... poor. so maybe, its improving quite well Bob." }-
Obviously. Now I'm not qualified to judge Shadowserver's ratings...
But do you believe that the Clam is right on the heels of NOD32 & Antivir?
Or that its detection (based on monthly, weekly stats) is superior to (dare I say it) DrWeb, or Kaspersky, Bitdefender and others?
C.S.J
February 8th, 2008, 07:32 PM
-{ Quote: "Obviously. Now I'm not qualified to judge Shadowserver's ratings...
But do you believe that the Clam is right on the heels of NOD32 & Antivir?
Or that it's detection (based on monthly, weekly stats) is superior to (dare I say it) DrWeb, or Kaspersky, Bitdefender and others?" }-
These are zero-day tests,
and if you look over the year, Clam has performed poorly.
But very, very recently, they score better than most.
They have to keep it up though, to improve their detection rates.
NOD32, Kaspersky and Bitdefender don't seem to do very well at all.
Bob D
February 8th, 2008, 07:40 PM
-{ Quote: "...NOD32, Kaspersky and Bitdefender don't seem to do very well at all." }-
Even the suggestion of the above will evoke flaming responses from NOD & KAV devotees, and the subsequent "Shadowserver's ratings are worthless" response!
They may be right? Dunno. We'll all keep an eye on the Clam though.
Cheers
C.S.J
February 8th, 2008, 07:53 PM
-{ Quote: "Even the suggestion of the above will evoke flaming responses from NOD & KAV devotees, and the subsequent "Shadowserver's ratings are worthless" response!
They may be right? Dunno. We'll all keep an eye on the Clam though.
Cheers" }-
Of course it will, I know that Bob.
Doesn't matter,
that's what makes this place fun sometimes :D
Seer
February 8th, 2008, 09:13 PM
Thank you all for your responses so far.
-{ Quote: "I see often 10 updates per day" }-
I have had ClamWin running for a few days and I noticed the same; it looked pretty active and 'alive'. So I thought I'd ask here.
-{ Quote: "- A2 CLI scanner
- Ewido CLI scanner
- McAfee CLI scanner (win_betaengdat.zip)" }-
thanks, I will try these to see how they run with SSM. Ewido looks appealing. It will take a few days though.
-{ Quote: "They all have drivers loaded, otherwise they could not access the file system fast enough." }-
Yes, what I meant is - not loaded all the time.
-{ Quote: "Please explain what happens with SSM. Is it when there is some event that causes SSM to give a warning the file is scanned?" }-
Every triggered event. You need to enter the CL scanner path here -
[screenshot: attachment 197601]
and then -
[screenshot: attachment 197602]
Cheers,
Diver
February 8th, 2008, 10:37 PM
@nick
That's an interesting concept. Sort of a hybrid on access scanner that only works when something else is happening.
I suppose if you are really careful about what you put on your machine, use HIPS or LUA/SRP or Anti-Executable and run full scans fairly regularly, then on-access scanning just might not accomplish that much. The frequent full scans are necessary because even an installer scanned several times before its use might turn out to be bad later. The reality is I have never had a file go positive that did not have certain easily identifiable characteristics as to source and purpose. Those get to run in Sandboxie or a VM.
However, the real time scanner does pick up stuff that is packed and gets scanned while unpacking and attempting to run.
You may have noticed another one of my threads which alludes to the fact that, when working with non-mainstream files such as grayware, game cheats etc., the detection characteristics of different AVs vary so much as to make it difficult to evaluate positives.
FRug
February 9th, 2008, 03:00 AM
Sorry to destroy the image of Clam yet again, but it is bad. Really bad. Its technology is very, very basic, and it cannot do anything against complex threats. It has detection routines for only 4 or 5 polymorphic threats; the rest of the detections are purely signature based. No emulation at all, and runtime unpacking that doesn't even deserve the name, as it does not properly rebuild the binaries for the very limited number of supported packers. No heuristics whatsoever (heuristics IMHO are doomed to fail in an open source project).
They are relatively fast at adding non-complex widespread threats, if those are simple to add (signature), but anything else is very likely to never get added at all.
And no, Shadowserver stats don't show that part of an AV, as the number of different threats in their stats is really low.
If you want it as a second opinion scanner, ok, but don't rely on it being even close to equal in terms of raw detection power to the top scanners around.
DjMaligno
February 9th, 2008, 04:12 AM
-{ Quote: "Over the last year, Clam has scored really poorly at Shadowserver.
However, recently they always score high.
Improvements/improved?....... maybe.
Only time will tell, I suppose.
Personally, I'd use something else. ;)" }-
That's because they've recently added a 'PUA' feature that, for instance, tends to flag as positive executables with certain packers.
Diver
February 9th, 2008, 09:02 AM
-{ Quote: "That's because they've recently added a 'PUA' feature that, for instance, tends to flag as positive executables with certain packers." }-
Bitdefender Free does that as well, and I believe it cannot be turned off as it can with Avira. The problem with this technique is lots of false positives.
As for Clam lacking heuristics, the same could be said of several popular AVs, including Avast and AVG.
One approach to this problem would be to install something like Avast or Avira without on access scanning, accept that a service or two will be running and see which one has the least effect on overall performance.
Seer
February 11th, 2008, 04:24 PM
Hello
@all - please bear in mind that I am not really an AV type. Blacklists, packers/unpackers, heuristics and such mean very little to me. I could just as well have gone with no AV at all, but I thought since SSM is staying, why not make use of its features and integrate a CL scanner. I guess "Scan..." on the popup will be very rarely used, but I like to have it there just for the peace of mind (or for the heck of it), as I am still a recent NOD user. So Clam could've done it as well, but as it is -
a-squared fit perfectly (for now). There's a2update.dll, so I made a click-to-update icon. I have always updated NOD manually and I kinda miss something to update every day :)
-{ Quote: "You may have noticed another one of my threads which alludes to the fact that, when working with non-mainstream files such as grayware, game cheats etc., the detection characteristics of different AVs vary so much as to make it difficult to evaluate positives." }-
I haven't, but I don't mind an FP here or there, especially with those you mention. With such software (game cheats, toolbars, e.g.) FPs are quite expected. They can be (and are) annoying, but it's certainly not something I'd lose sleep over.
-{ Quote: "One approach to this problem would be to install something like Avast or Avira without on access scanning, accept that a service or two will be running and see which one has the least effect on overall performance." }-
I knew this was one of the options, and I was even considering it (accepting a running service for occasional scan), but I tend to be very strict about what is running and more importantly why. So I was kinda hoping to avoid this solution.
Again thank you all, I shall consider this matter settled. As I said - for now. More research pending...
Cheers,
Pedro
February 11th, 2008, 04:46 PM
-{ Quote: "(heuristics IMHO are doomed to fail in an open source project)." }-
I'm curious to know why you think so. Is it a technical matter, or just a practical one? (the whole cat-and-mouse game AVs play)
lucas1985
February 11th, 2008, 04:52 PM
An open source heuristic/unpacking/emulation engine would be very easy to bypass.
Pedro
February 11th, 2008, 05:01 PM
Sure, but then your signatures would be more effective. You can only gain from it no?
I could even imagine a user selectable level of aggressiveness. If it is for a gateway, there could be a demand (for some people) to flag anything suspicious (FP's let them come).
Signatures alone don't give you any choice. It is or it isn't a known virus/trojan/etc.
Diver
February 11th, 2008, 05:30 PM
-{ Quote: "An open source heuristic/unpacking/emulation engine would be very easy to bypass." }-
Your argument, apparently, is that if the crooks know what the heuristics are, they could work around them. As far as unpacking an executable, or running it in a sandbox to unpack and scan it against a signature, there is no way that having the source code known would give the bad guys a better chance. As for the remaining heuristics, the present method of trial-and-error checking seems to work well enough for the bad guys.
Bob D
February 11th, 2008, 06:11 PM
-{ Quote: "as long as it satisfies all my needs - 0 resources, 0 drivers/services, CL scanner." }-
May want to try "Clam on a stick" (sounds good, huh?).
ClamAV on a USB portable stick with a convenient GUI.
Run entirely from USB memory stick. Updates (not automatic) have to be invoked.
JimIT
February 11th, 2008, 06:25 PM
-{ Quote: "Hello.
What I actually need is a dedicated on-demand AV with a command line scanner. A CL scanner is essential, as I want to integrate it in SSM. thanks," }-
F-PROT has a good one.
Seer
February 11th, 2008, 06:51 PM
-{ Quote: "May want to try "Clam on a stick" (sounds good, huh?).
ClamAV on a USB portable stick with a convenient GUI.
Run entirely from USB memory stick. Updates (not automatic) have to be invoked." }-
LOL. Thanks, Bob, I'll take it. I am recently geared towards portable applications and this will be a nice addition. Besides, manual updating is just my kind of thing :)
I am becoming something of a Clam fan here. (AV wizardz on this forum are probably shaking their heads now)
-{ Quote: "F-PROT has a good one." }-
iirc F-PROT used to be famous for heuristics. Are they still? I'll have a look anyway. Thanks.
031
February 11th, 2008, 09:08 PM
Avast Professional Edition provides a command line scanner. More information here (http://www.avast.com/eng/avast_4_professional.html).
the insider
February 12th, 2008, 08:44 AM
Maybe Moon Secure is something for you?
http://www.moonsecure.com/
lucas1985
February 12th, 2008, 09:21 AM
-{ Quote: "iirc F-PROT used to be famous for heuristics. Are they still? I'll have a look anyway. Thanks." }-
F-Prot for DOS uses an old engine and it's discontinued :(
Bob D
February 12th, 2008, 10:10 AM
-{ Quote: "LOL. Thanks, Bob, I'll take it........manual updating is just my kind of thing..." }-
Updating will need to be frequent.
9 updates already today.
(08 Feb was a busy day. 20 updates!)
Can monitor updates here:
http://lurker.clamav.net/list/clamav-virusdb.html
Copyright ©2002 - 2012, Wilders Security Forums